WannaCry ransomware is a wake-up call for organizations and governments around the world.

This ongoing cyber threat will continue to adapt to take advantage of weaknesses in IT systems and procedures. New variants of this malware may cause even more damage if you do not act immediately.

Early samples have revealed that the ransomware spreads across local networks and the internet by exploiting a weakness in version 1 of the Server Message Block protocol (SMBv1) on unpatched Windows hosts. Although no ‘smoking gun’ WannaCry infection email has yet been found, it is highly likely that future variants will use email.

This short guide is designed to help all organizations complete a review of network security, backup and business continuity systems and processes.

We are also providing additional insights into how to make easy and quick configuration changes to ensure your Targeted Threat Protection solution is optimized. As many of you already know, a comprehensive “defense in depth” strategy is the best approach to mitigation of current and future variants of WannaCry and other ransomware.

Patching

Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday).

Microsoft released a security update in March 2017, Security Bulletin MS17-010, which fixes the SMBv1 vulnerability WannaCry exploits. Any organization that has not yet applied it should deploy MS17-010 immediately. Microsoft has also made the same fix available for out-of-support versions such as Windows XP and Windows Server 2003; where a host genuinely cannot be patched, disable SMBv1 on it and block inbound TCP port 445 from untrusted networks.
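The following PowerShell script is an added example for auditing a single Windows host; it is not part of the original guide. It assumes the listed KB numbers are the MS17-010 updates Microsoft published for Windows 7/2008 R2, 8.1/2012 R2, 2012 and the out-of-support releases; later cumulative updates supersede them, so "no KB found" is a prompt to check the build, not proof the host is vulnerable. The `-DisableSmb1` switch is this script's own parameter name.

```powershell
# Added example (not from the original guide): audit a Windows host for MS17-010
# exposure and optionally disable the SMBv1 server. Run in an elevated PowerShell.
# Assumption: the KB list is a subset of the MS17-010 updates from March 2017.
# Newer cumulative updates supersede these, so a missing KB alone is not a finding.
param([switch]$DisableSmb1)

# Win7/2008R2, 8.1/2012R2, 2012 (security-only and monthly rollup) and the XP/2003/Vista/8 fix.
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'

$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
if ($installed) {
    "MS17-010 fix present: $($installed -join ', ')"
} else {
    "No MS17-010 KB reported by Get-HotFix; verify the OS build or a superseding cumulative update."
}

# SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8/2012 and later;
# on older builds the LanmanServer SMB1 registry value is the switch (absent = enabled).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smbCfg  = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smbCfg = Get-SmbServerConfiguration
    "SMBv1 server enabled: $($smbCfg.EnableSMB1Protocol)"
} else {
    $smb1 = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).SMB1
    "SMBv1 registry value (absent = enabled): $smb1"
}

if ($DisableSmb1) {
    if ($smbCfg) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Value 0 -Type DWord -Force
    }
    "SMBv1 server disabled; reboot older builds for the registry change to take effect."
}
```

Disabling the SMBv1 server removes the attack surface MS17-010 patches, but check first for legacy clients (old printers, NAS devices, Windows XP) that still need it, and treat them as hosts to isolate rather than a reason to leave SMBv1 on.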

URL Protect - Ensure a policy is applied to all users. Rewriting all URLs so that each link is scanned for unsafe content at time of click is the best approach to blocking inbound URL-based phishing. Configure the policy in line with our URL Protect best practice guide.

Attachment management policy - Use the most up-to-date attachment management definitions, with an administrator hold on dangerous file types, as there are reports of executable files masquerading as Excel files.

Suspected Malware policy - The ability to hold Office files containing macros provides another layer of detection, but it does not perform the analysis provided by Attachment Protect.
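The masquerading described in the attachment management paragraph works because the gateway trusts the file extension. The following PowerShell snippet is an added example, not a feature of the product or code from the original guide, showing the check a hold rule needs: classify the attachment by its leading bytes and hold it when they disagree with the extension. The three sample byte sequences are constructed inline; the function and property names are this example's own.

```powershell
# Added example (not from the original guide): detect a PE executable renamed to look
# like an Excel workbook by inspecting the file's first bytes instead of its extension.

function Get-ContentType {
    param([byte[]]$Bytes)
    # "MZ" DOS header: a Windows executable regardless of extension.
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A) { return 'pe-executable' }
    # D0 CF 11 E0: OLE2 compound document, used by legacy .xls/.doc.
    if ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0xD0 -and $Bytes[1] -eq 0xCF -and
        $Bytes[2] -eq 0x11 -and $Bytes[3] -eq 0xE0) { return 'ole2-office' }
    # "PK\x03\x04": ZIP container, used by OOXML .xlsx/.docx.
    if ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0x50 -and $Bytes[1] -eq 0x4B -and
        $Bytes[2] -eq 0x03 -and $Bytes[3] -eq 0x04) { return 'zip-container' }
    return 'unknown'
}

function Test-AttachmentMismatch {
    param([string]$Name, [byte[]]$Bytes)
    $ext  = [IO.Path]::GetExtension($Name).ToLowerInvariant()
    $type = Get-ContentType $Bytes
    $expected = switch ($ext) {
        '.xls'  { 'ole2-office' }
        '.doc'  { 'ole2-office' }
        '.xlsx' { 'zip-container' }
        '.docx' { 'zip-container' }
        '.exe'  { 'pe-executable' }
        default { 'unknown' }
    }
    # Hold every executable outright, and anything whose content contradicts its extension.
    [pscustomobject]@{
        Name     = $Name
        Detected = $type
        Hold     = ($type -eq 'pe-executable') -or ($expected -ne 'unknown' -and $type -ne $expected)
    }
}

# Constructed samples: a renamed executable, a genuine legacy workbook, a genuine OOXML workbook.
$samples = @(
    @{ Name = 'invoice.xls'; Bytes = [byte[]](0x4D,0x5A,0x90,0x00) }
    @{ Name = 'report.xls';  Bytes = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1) }
    @{ Name = 'q1.xlsx';     Bytes = [byte[]](0x50,0x4B,0x03,0x04) }
)
$samples | ForEach-Object { Test-AttachmentMismatch -Name $_.Name -Bytes $_.Bytes } | Format-Table
```

For a real file, pass `[IO.File]::ReadAllBytes($path)` as `-Bytes`. The ZIP check only proves the attachment is a ZIP container, not that it is a workbook; a stricter rule would open the archive and require a `[Content_Types].xml` entry. Macro-bearing OLE2 and OOXML files pass this check and are the concern of the Suspected Malware policy above.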

Since a very high percentage of ransomware is delivered by email attachment, we urge organizations to consider sandboxing and/or safe file conversion services.

DNS-based email authentication such as SPF and DKIM can help stop attackers from spoofing or hijacking the email domains of trusted senders, taking away one method attackers use to fool their intended victims. DMARC builds on both: it checks that the domain authenticated by SPF or DKIM aligns with the visible From: address and publishes a policy (none, quarantine or reject) telling receiving servers what to do with mail that fails, adding an extra layer of defense.
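A weak record undermines all three mechanisms, so it is worth checking what your domain actually publishes. The PowerShell below is an added example, not part of the original guide, that evaluates SPF and DMARC TXT records and flags the settings that still let a spoofed message through; it shows a weak configuration beside a hardened one. The two record sets are constructed for illustration, and `example.com`/`example.net` are placeholder domains.

```powershell
# Added example (not from the original guide): grade SPF and DMARC records.
# The records below are constructed; swap in Resolve-DnsName output for a real domain.

function Test-SpfRecord {
    param([string]$Txt)
    if ($Txt -notmatch '^v=spf1\b') { return 'missing' }
    # The terminal "all" mechanism decides what happens to senders not listed.
    if ($Txt -match '\+all\b') { return 'weak: +all authorizes any sender' }
    if ($Txt -match '\?all\b') { return 'weak: ?all is neutral, receivers take no action' }
    if ($Txt -match '~all\b')  { return 'soft: ~all softfails; only DMARC turns that into a rejection' }
    if ($Txt -match '-all\b')  { return 'ok: -all hard fail' }
    return 'weak: no all mechanism, unlisted senders pass'
}

function Test-DmarcRecord {
    param([string]$Txt)
    if ($Txt -notmatch '^v=DMARC1\b') { return 'missing' }
    # p= is the policy for the domain; pct= (default 100) limits how much mail it applies to.
    $policy = if ($Txt -match '\bp=(none|quarantine|reject)') { $Matches[1] } else { 'none' }
    $pct    = if ($Txt -match '\bpct=(\d+)') { [int]$Matches[1] } else { 100 }
    switch ($policy) {
        'reject'     { if ($pct -lt 100) { "partial: p=reject applied to only $pct% of mail" } else { 'ok: p=reject' } }
        'quarantine' { 'partial: p=quarantine sends spoofed mail to spam rather than rejecting it' }
        default      { 'weak: p=none only reports; spoofed mail is still delivered' }
    }
}

# Constructed records: the weak configuration beside the hardened one.
$weak = @{ Spf   = 'v=spf1 include:_spf.example.net ~all'
           Dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com' }
$hard = @{ Spf   = 'v=spf1 include:_spf.example.net -all'
           Dmarc = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com' }

foreach ($set in @($weak, $hard)) {
    "SPF:   $($set.Spf)`n  -> $(Test-SpfRecord $set.Spf)"
    "DMARC: $($set.Dmarc)`n  -> $(Test-DmarcRecord $set.Dmarc)"
}

# Live lookup for a real domain (needs DNS access):
# (Resolve-DnsName -Name example.com -Type TXT).Strings | Where-Object { $_ -like 'v=spf1*' }
# (Resolve-DnsName -Name _dmarc.example.com -Type TXT).Strings
```

Move to `p=reject` only after reviewing the aggregate (`rua`) reports for a few weeks, so legitimate third-party senders are added to SPF or signed with DKIM before receivers start rejecting them. DKIM itself cannot be graded from one TXT record because the selector names are not discoverable from DNS alone.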

Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and as this attack highlights, there are many ways for an infection to enter an organization.

It is vital that you regularly back up critical data and ensure that ransomware cannot spread to the backup or archive copies; a backup share that is writable from an infected workstation is encrypted like any other share, so keep at least one copy offline or otherwise unreachable from endpoints. Ransomware can take time to encrypt large volumes of files, particularly across a network share, so your retention window must be long enough to restore from a point before the infection began.

Backup and recovery measures only take effect after an attack, and they cost organizations downtime and IT resources to deal with the attack and its aftermath.

Organizations must be able to continue to operate during the infection period and recover quickly once the infection has been removed.

Should firms ever pay a ransom?

We advise organizations never to succumb to the pressure to pay the ransom to regain access to their applications and data.

There is no guarantee that paying will unlock the files, and it further motivates and finances attackers to expand their ransomware campaigns.